Overview

overview

10

Static

static

clb.dll

windows7_x64

10

clb.dll

windows10_x64

10

Resubmissions

19-10-2021 21:50

211019-1qatvshcgr 10

19-10-2021 15:20

211019-sq1raahack 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    clb.dll

  • Size

    588KB

  • Sample

    211019-1qatvshcgr

  • MD5

    4f142d0fca158d333b98bd20ec2c70c8

  • SHA1

    716cab4911102cd47ebc577d5712ade3f55e1729

  • SHA256

    25e33433712124d16fdd126ee77c34309bd01680e50c1269a4d1ea2d59f3b8a1

  • SHA512

    50a73179c814ebf6bf78142d9de61565f4cdf0886bbb6525cf37b4acae729b7b913a3f085d63bc482f63ee2099a638e3e519a41aba5e63a3078d577e56bc7826

Score
10/10
trickbotrob136bankercollectionsuricatatrojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

rob136

C2

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Targets

    • Target

      clb.dll

    • Size

      588KB

    • MD5

      4f142d0fca158d333b98bd20ec2c70c8

    • SHA1

      716cab4911102cd47ebc577d5712ade3f55e1729

    • SHA256

      25e33433712124d16fdd126ee77c34309bd01680e50c1269a4d1ea2d59f3b8a1

    • SHA512

      50a73179c814ebf6bf78142d9de61565f4cdf0886bbb6525cf37b4acae729b7b913a3f085d63bc482f63ee2099a638e3e519a41aba5e63a3078d577e56bc7826

    Score
    10/10
    trickbotrob136bankersuricatatrojancollection

    • Contacts Bazar domain

      Uses Emercoin blockchain domains associated with Bazar backdoor/loader.

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • suricata: ET MALWARE TrickBot Related Activity (GET)

      suricata: ET MALWARE TrickBot Related Activity (GET)

      suricata

    • suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2

      suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2

      suricata

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1
T1018

System Information Discovery

1
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks